US006088453A

United States Patent [19]
Shimbo

[11] Patent Number: 6,088,453
[45] Date of Patent: Jul. 11, 2000

[54] SCHEME FOR COMPUTING MONTGOMERY DIVISION AND MONTGOMERY INVERSE REALIZING FAST IMPLEMENTATION

[75] Inventor: Atsushi Shimbo, Tokyo, Japan
[73] Assignee: Kabushiki Kaisha Toshiba, Kawasaki, Japan
[21] Appl. No.: 09/013,209
[22] Filed: Jan. 26, 1998
[30] Foreign Application Priority Data
     Jan. 27, 1997 [JP] Japan 9-012667
[51] Int. Cl.7: H04L 9/28; G06F 7/52; G06F 15/00
[52] U.S. Cl.: 380/28; 713/100; 708/654
[58] Field of Search: 713/100; 380/28; 708/135, 211, 490, 491, 492, 523, 625, 653, 654, 655, 656; 712/14

[56] References Cited

U.S. PATENT DOCUMENTS

5,227,978   7/1993   Kato              364/47431
5,321,752   6/1994   Iwamura et al.    380/24
5,499,299   3/1996   Takenaka et al.   380/28
5,666,419   9/1997   Yamamoto et al.   380/28
5,724,279   3/1998   Benaloh et al.    364/746
5,805,703   9/1998   Crandall          380/30

OTHER PUBLICATIONS

Peter L. Montgomery, "Modular Multiplication Without Trial Division", Mathematics of Computation, vol. 44, No. 170, Apr., 1985, pp. 519-521.
Burton S. Kaliski Jr., "The Montgomery Inverse And Its Applications", IEEE Transactions on Computers, vol. 44, No. 8, Aug. 1995, pp. 1064-1065.
Tetsutaro Kobayashi, et al., "Modular Inverse Algorithm Optimized By Initial Operations", Technical Report of IEICE, ISEC97-48, Nov., 1997, pp. 13-23.

Primary Examiner: Tod R. Swann
Assistant Examiner: Justin T. Darrow
Attorney, Agent, or Firm: Oblon, Spivak, McClelland, Maier & Neustadt, P.C.

[57] ABSTRACT

A scheme for performing high speed Montgomery division within the Montgomery space. Montgomery division $Y = B \cdot A^{-1} \cdot 2^{n} \bmod N$ for a positive integer N, a positive integer A which is relatively prime with respect to N and satisfying $0 \le A \le N$, a positive integer B, and an integer n which is satisfying $n \ge L$ where L is a bit length of N in binary expression, is performed by obtaining a Montgomery inverse $X = A^{-1} \cdot 2^{2n} \bmod N$ from inputs A and N, and obtaining the Montgomery division $Y = B \cdot X \cdot 2^{-n} \bmod N$ from the Montgomery inverse X and inputs B and N. Montgomery inverse $X = A^{-1} \cdot 2^{2n} \bmod N$ for a positive integer N, a positive integer A which is relatively prime with respect to N and satisfying $0 \le A < N$, and an integer n which satisfies $n \ge L$ where L is a bit length of N in binary expression, is determined by obtaining an intermediate result $C = A^{-1} \cdot 2^{k} \bmod N$ and a parameter k satisfying $L \le k \le 2L$ from inputs A and N, and obtaining the Montgomery inverse $X = C \cdot 2^{2n-k} \bmod N$ from the intermediate result C and the parameter k and input N.

43 Claims, 22 Drawing Sheets

[Front-page figure. Labels: Montgomery inverse calculation unit 201; Montgomery multiplication unit 202; Montgomery division device 200.]

U.S. Patent   Jul. 11, 2000   Sheet 1 of 22   6,088,453

FIG. 1

                 Zp                                        MONTGOMERY SPACE
DOMAIN           integer in [0, p-1]                       integer in [0, p-1]
ELEMENT          $a = AR^{-1} \bmod p$                     $A = aR \bmod p$
INVERSE          x satisfying $ax = 1 \bmod p$             X satisfying $AX = R^{2} \bmod p$
ADDITION         $a + b \bmod p$                           $A + B \bmod p$
SUBTRACTION      $a - b \bmod p$                           $A - B \bmod p$
MULTIPLICATION   $ab \bmod p$                              $ABR^{-1} \bmod p$
DIVISION         $b/a = b a_1 \bmod p$                     $B/A = B A_1 R^{-1} \bmod p$
                 (where $a_1$ is an inverse of a)          (where $A_1$ is an inverse of A)

Sheet 2 of 22

[FIG. 2A: $A = a 2^{n} \bmod p$, p = 23 (n = 5). FIG. 2B: $ax = 1 \bmod p$, p = 23 (n = 5). FIG. 2C: $AX = 2^{2n} \bmod p$, p = 23 (n = 5). Value tables.]

Sheet 4 of 22

[FIG. 4, flowchart: start; obtain $v = -N^{-1} \bmod R$ (S101); $T = AB$; $W = ((T \bmod R) \cdot v) \bmod R$ (S103); $T = T + WN$; $T = T/R$ (S105); T > N? (S106); if yes, $T = T - N$; end.]

Sheet 5 of 22

[FIG. 5, flowchart: start; obtain $v_0 = -N_0^{-1} \bmod b$ (S201); set T = 0, set i = 0 (S202); $T = T + a_i B b^{i}$; $m_i = t_i v_0 \bmod b$; $T = T + m_i N b^{i}$; i = i + 1; $T = T/R$; T > N?; if yes, $T = T - N$ (S209); end.]

Sheet 7 of 22

[FIG. 7A, flowchart: start; variable initialization U = p, V = A, T = 0, S = 1, k = 0 (S401); V = V - U (S406); right shifting V (multiply V by 1/2) (S407); S = T + S (S408); left shifting T (multiply T by 2) (S409); k = k + 1 (S410).]

Sheet 8 of 22

[FIG. 7C, FIG. 7D, FIG. 7E, flowchart continuation: right shifting U (multiply U by 1/2) with left shifting S (multiply S by 2); right shifting V (multiply V by 1/2) with left shifting T (multiply T by 2); error processing.]

Sheet 9 of 22

[FIG. 8, flowchart: start; variable initialization L = 2n, i = 0 (S501); m = L - k (S502); output T; left shifting T (multiply T by 2) (S504); decision (S505); T = T - p (S506); i = i + 1 (S507).]

Sheet 10 of 22

FIG. 9A

          INITIAL VALUE   1ST LOOP   2ND LOOP   3RD LOOP   4TH LOOP
U (= p)   10111           00010      00001      00001      00001
V (= A)   10011           10011      10011      01001      00100
T         0               1          1          10         100
S         1               10         100        101        111
k         0               1          2          3          4

FIG. 9B

          5TH LOOP   6TH LOOP   7TH LOOP
U (= p)   00001      00001      00001
V (= A)   00010      00001      00000
T         1000       10000      100000
S         111        111        10111
k         5          6          7

Output value: T = 1110, k = 7

FIG. 9C

                              T
INITIAL VALUE                 1110
1ST LOOP   LEFT SHIFTING      11100
           SUBTRACTING p      101
2ND LOOP   LEFT SHIFTING      1010
3RD LOOP   LEFT SHIFTING      10100

Sheet 11 of 22

[FIG. 10A, flowchart: variable initialization (S601); w ← length of consecutive '0' from LSB of U (S603); w ← length of consecutive '0' from LSB of V; right shifting V (multiply V by 1/2); left shifting T (multiply T by 2).]

Sheet 12 of 22

[FIG. 10B, FIG. 10C, FIG. 10D, flowchart continuation: right shifting U by w bits (multiply U by $1/2^{w}$) with left shifting S by w bits (multiply S by $2^{w}$); right shifting V by w bits (multiply V by $1/2^{w}$) with left shifting T by w bits (multiply T by $2^{w}$); k = k + w (S618); right shifting U (multiply U by 1/2) with left shifting S (multiply S by 2); error processing (S628).]

Sheet 13 of 22

[FIG. 11A, flowchart: variable initialization L = 2n, i = 0 (S701); m = L - k (S702); decision on i and m (S703); if no, output T; if yes, w ← length of consecutive '0' from MSB of T (S704); left shifting T by w bits (multiply T by $2^{w}$); T ≥ p? (S708); if yes, T = T - p; i = i + w (S709); end.]

Sheet 14 of 22

[FIG. 11B, FIG. 11C, flowchart continuation: left shifting T (multiply T by 2); T = T - p; left shifting T by w bits (multiply T by $2^{w}$); i = i + 1 (S717).]

Sheet 15 of 22

[FIG. 12A, flowchart: variable initialization (S801); w ← length of consecutive '0' from LSB of U (S803); w ← length of consecutive '0' from LSB of V; right shifting V by w bits (multiply V by $1/2^{w}$); S = S + T; left shifting T by w bits (multiply T by $2^{w}$).]

Sheet 16 of 22

[FIG. 12B, FIG. 12C, flowchart continuation: right shifting V by w bits (multiply V by $1/2^{w}$) with left shifting T by w bits (multiply T by $2^{w}$); right shifting U by w bits (multiply U by $1/2^{w}$) with left shifting S by w bits (multiply S by $2^{w}$); k = k + w (S819); error processing (S830); w ← length of consecutive '0' from LSB of U; right shifting U by w bits (multiply U by $1/2^{w}$) (S822); left shifting S by w bits (multiply S by $2^{w}$).]
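
The two-step computation described in the abstract, as an added example that is not code from the patent: the intermediate result C and parameter k are computed in the textbook form of the almost Montgomery inverse from Kaliski's paper, the inverse X follows by 2n - k modular doublings, and the division finishes with one Montgomery multiplication with R = 2^n. The function names are hypothetical, and the example assumes an odd modulus N and 0 < A < N.

```python
# Added example, not the patent's own code; function names are hypothetical.
# Assumes an odd modulus N >= 3 and 0 < A < N.

def almost_inverse(a, n_mod):
    """Phase 1: return (C, k) with C = a^-1 * 2^k mod N."""
    if n_mod < 3 or n_mod % 2 == 0 or not 0 < a < n_mod:
        raise ValueError("need odd N >= 3 and 0 < A < N")
    u, v, t, s, k = n_mod, a, 0, 1, 0
    while v > 0:
        if u % 2 == 0:
            u, s = u >> 1, s << 1
        elif v % 2 == 0:
            v, t = v >> 1, t << 1
        elif u > v:
            u, t, s = (u - v) >> 1, t + s, s << 1
        else:
            v, s, t = (v - u) >> 1, s + t, t << 1
        k += 1
    if u != 1:                      # u ends as gcd(A, N)
        raise ValueError("A is not relatively prime to N")
    if t >= n_mod:                  # t < 2N here
        t -= n_mod
    return n_mod - t, k

def montgomery_inverse(a, n_mod, n):
    """X = a^-1 * 2^(2n) mod N: double C modulo N (2n - k) times."""
    if n < n_mod.bit_length():
        raise ValueError("need n >= bit length of N")
    x, k = almost_inverse(a, n_mod)
    for _ in range(2 * n - k):
        x <<= 1
        if x >= n_mod:
            x -= n_mod
    return x

def montgomery_multiply(x, y, n_mod, n):
    """x * y * 2^-n mod N by Montgomery reduction with R = 2^n."""
    r_mask = (1 << n) - 1
    v = -pow(n_mod, -1, 1 << n) & r_mask    # v = -N^-1 mod R
    t = x * y
    w = ((t & r_mask) * v) & r_mask         # W = ((T mod R) * v) mod R
    t = (t + w * n_mod) >> n                # exact division by R
    return t - n_mod if t >= n_mod else t

def montgomery_divide(b, a, n_mod, n):
    """Y = b * a^-1 * 2^n mod N = MontMul(b, X)."""
    return montgomery_multiply(b, montgomery_inverse(a, n_mod, n), n_mod, n)
```

With the FIG. 9 inputs (p = 23, A = 19, n = 5) the first phase returns C = 14 (binary 1110) with k = 7, and three doublings give X = 20 (binary 10100). The first-phase loop branches on the bits of its operands, so its running time depends on A, which matters when A is secret.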